Digital Services Act Labels

Digital Services Act - Transparency Labels and Markings

Effective Date: February 26, 2026

Service Provider

YukiSoftware OÜ

Estonian Company Registration Number: 16687784

1. Service Classification

1.1 Primary Categories

  • Service Type: Personal data management and productivity application
  • Main Purpose: Automated extraction and organization of structured insights from user emails and calendar data (travel itineraries, financial transactions, delivery tracking, calendar events)
  • User Interface Type: Mobile application (iOS, Android) and web portal
  • User Base: Individual consumers in the EU and worldwide

1.2 Data Handling Categories

  • Primary: Email inbox data (read-only access via Gmail API)
  • Secondary: Calendar events, contacts, account authentication data
  • Processing Method: On-device where possible; cloud processing via OpenAI API for natural language understanding
  • Data Retention: Derived insights stored indefinitely; raw email data deleted after processing

2. Risks and Risk Mitigation Measures

2.1 Systemic Risks Identified

Data Privacy & Security

Risk: Unauthorized access to sensitive user personal data (emails, financial info, travel plans)

Mitigation:

  • End-to-end encryption for data in transit (TLS 1.3+)
  • PostgreSQL with AES-256 encryption at rest via Supabase
  • Row-Level Security (RLS) policies enforcing user data isolation
  • No raw email bodies stored permanently; only extracted insights retained
  • Annual security audits and penetration testing
  • GDPR compliance with user data deletion on account termination

Third-Party Data Sharing

Risk: Inadvertent sharing of personal data with unauthorized third parties

Mitigation:

  • Data Processing Agreements (DPA) with all processors (OpenAI, Sentry, PostHog, Cloudflare, Microsoft Clarity)
  • No data sale or commercial sharing with third parties
  • Limited third-party integrations with explicit user consent
  • Regular audits of third-party data access

AI/ML Model Training Risks

Risk: User data being used to train or improve AI models without consent

Mitigation:

  • Explicit contractual prohibition with OpenAI against model training on customer data
  • No model fine-tuning or custom training on user data
  • Clear privacy policy disclosing AI processing methods
  • User opt-out mechanisms for AI-powered features (email extraction)

Authentication & Authorization Vulnerabilities

Risk: Unauthorized account access or privilege escalation

Mitigation:

  • OAuth 2.0 with Google and Apple Sign-In (no password storage)
  • Secure token management with refresh token rotation
  • Session management with automatic expiration
  • Two-factor authentication ready (future enhancement)

Illegal Content or Activities

Risk: Platform used for facilitating illegal activities (fraud, phishing, etc.)

Mitigation:

  • Terms of Service prohibiting illegal use
  • Abuse reporting mechanism in app and web portal
  • Account suspension and law enforcement cooperation procedures
  • No user-generated content moderation required (personal data only)

2.2 Content Moderation Measures

As a personal data management tool, Yuki does not host user-generated content, forums, or social features. Therefore, traditional content moderation is not applicable.

  • Abuse Reporting: Users can report abuse via email ([email protected]) or in-app contact form
  • Takedown Requests: GDPR subject access requests and deletion requests are processed within 30 days
  • DMCA/Copyright: No user-uploaded media; copyright concerns handled on a case-by-case basis

3. Service Provider Information

Legal Entity

YukiSoftware OÜ

Registration Number

16687784 (Estonia)

Principal Place of Business

Tallinn, Estonia

Contact for DSA Inquiries

[email protected]

Terms of Service

Available at yukihq.com/terms

Privacy Policy

Available at yukihq.com/privacy

4. User Rights & Remedies

  • Data Access: Users can download their data via account settings or request a complete data export
  • Data Deletion: Users can delete their account and all associated data at any time
  • Correction: Users can update their profile information in account settings
  • Withdrawal of Consent: Users can disconnect Gmail, Calendar, and Contacts integrations at any time
  • Complaint Handling: Support requests are processed within 5 business days; formal complaints can be escalated to supervisory authorities

5. Additional Information

This document is provided in accordance with Article 24 of the Digital Services Act (2022/1957/EU) and is updated regularly as our service and risk profile evolves.

Last Updated: February 26, 2026